|
Message-ID: <511C4E5B.5090009@redhat.com>
Date: Wed, 13 Feb 2013 19:39:23 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>, maxim@...oillogical.com
Subject: Some rubygems related CVEs

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

https://github.com/rubysec/ruby-advisory-db/issues/7

=====================
omniauth-oauth2 CSRF

omniauth-oauth2
intridea/omniauth-oauth2#25
https://github.com/intridea/omniauth-oauth2/pull/25
https://gist.github.com/homakov/3673012

CSRF vulnerability, injecting state in session

Please use CVE-2012-6134 for this issue.

=====================
newrelic_rpm information disclosure

newrelic_rpm
https://newrelic.com/docs/ruby/ruby-agent-security-notification

A bug in the Ruby agent causes database connection information and raw SQL statements to be transmitted to New Relic servers. The database connection information includes the database IP address, username, and password. The information is not stored or retransmitted by New Relic and is immediately discarded.

Please use CVE-2013-0284 for this issue.

=====================
nori parameter parsing remote code execution

nori
savonrb/nori@...f526 (related to 2013-0156)

Fix for remote code execution bug. For more in-depth information, read about the recent [Rails hotfix](https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ). Please make sure to upgrade now!

Please use CVE-2013-0285 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRHE5aAAoJEBYNRVNeJnmTmAYP/0Ih7uVNmA+OEhWCEbPA824J
AAy4x3S5EBjhPKwbCtc5rF6Lggt4uL6k6AKLDilSasMc+UCI7YBnKNOg5Y5GfbCz
8VjoQ/4iNf3VOV+SOmDq5dob0LDhgLRJtkaWiKRwiXRCwYHakJGGLAYGBGCfFDX4
Em75BMA2964DpBkdMfat4bGnS3Xip3i/yUJq8RikwkBQgTiB1NBShwjZ6yQ0wioA
UonyOP1RZprsn1UZRus+/TcpFAR+JS9bZ0zko9s7k+Fxlk/tvMDQdYuFrnp89h68
ucq3xS3MzYejoMADVvQkyDj4mPrzzACf7/1rHXFB1isrRJmKimUAwJELlbdOv43v
iyCqWrGgpYgo9Krln9p1rEp57g8xHV0gZ4KikAD5TpRlaAhtKh4V1HWpVGSi77G+
MIapr+ChCuRr2VJl8zf8/c6S9RFivZqpk1lFA4CNuUisD0EtgL4vDSUEp8u9SYHP
OekmQhZ71FAda3+m4pQQ2zYqFbal7KH84hPQc1s+j6h6LOQ40OXfkSaqf1Eh7wuM
aLZecAesDEzNseZyqaqoqAaYz6UckrrgQR7OAE7rKcSKeUXe61WgbzqUL5wx2/Gw
VeI0AhXe3ZNLVpyaFHCSTR+b3CVwlA/ENYQeKgIMDKxLxoK9fZFR44dRco9GOxck
/4zn0zP/MSk5YGNrw3wu
=RGNy
-----END PGP SIGNATURE-----
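The omniauth-oauth2 item above (CVE-2012-6134) concerns the OAuth2 `state` parameter: without a per-session, single-use state that is checked on the callback, an attacker can have a victim's browser complete a callback the victim never started (login CSRF). The following is an added illustration, not code from the message or from the omniauth-oauth2 project, of the mitigation pattern: mint a random state when the request begins, keep it in the session, and on callback require an exact, constant-time match before accepting the `code`. The `OAuthStateGuard` module, the `omniauth.state` session key and the in-memory `session` hash are assumptions for the example.

```ruby
require 'securerandom'

# Added example (not omniauth-oauth2's code): a minimal OAuth2 "state"
# guard that ties an authorization callback to the browser session that
# initiated it. The session is modelled as a plain Hash.
module OAuthStateGuard
  STATE_KEY = 'omniauth.state'  # assumed key name, hypothetical

  # Step 1: before redirecting the user to the provider, generate a random
  # state, remember it in the session and return it so it can be placed in
  # the authorization URL's state= query parameter.
  def self.begin_request(session)
    state = SecureRandom.hex(24)
    session[STATE_KEY] = state
    state
  end

  # Constant-time string comparison so a forged state cannot be matched
  # byte by byte via timing differences.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Step 2: on the callback, the state echoed by the provider must equal the
  # one stored in the session. The stored value is deleted before the
  # comparison so a state is single-use whether or not the check passes.
  # Returns true only when the callback may proceed to exchange the code.
  def self.callback_valid?(session, params)
    expected = session.delete(STATE_KEY)
    given = params['state']
    return false if expected.nil? || given.nil?
    secure_compare(expected, given)
  end

  # The pre-fix behaviour the advisory describes, kept here only to contrast
  # with callback_valid?: any callback carrying a code is accepted, so a
  # callback URL the victim never initiated is processed as if it were theirs.
  def self.unchecked_callback_accepted?(params)
    !params['code'].nil?
  end
end

if __FILE__ == $PROGRAM_NAME
  victim_session = {}
  state = OAuthStateGuard.begin_request(victim_session)
  # Constructed callbacks: the legitimate one carries the session's state,
  # the cross-site one carries no matching state.
  legit  = { 'code' => 'AUTHCODE', 'state' => state }
  forged = { 'code' => 'AUTHCODE', 'state' => 'not-the-session-state' }
  puts "legit callback accepted:  #{OAuthStateGuard.callback_valid?(victim_session, legit)}"
  OAuthStateGuard.begin_request(victim_session)
  puts "forged callback accepted: #{OAuthStateGuard.callback_valid?(victim_session, forged)}"
  puts "forged accepted pre-fix:  #{OAuthStateGuard.unchecked_callback_accepted?(forged)}"
end
```

Two details matter for the check to be a real mitigation: the state must be unpredictable (here 24 random bytes) and it must be consumed on first use, otherwise a single leaked state could be replayed across callbacks.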